Do you know if you’ve got a lawful basis for the client data you’re using?
Can you guarantee you have a lawful basis for holding and processing your clients’ information?
Did you realise that under GDPR you must consider six points to be sure of this?
Article 6 of the GDPR sets out these conditions, and it is one of the key areas accountants will want to review for their practice – if they haven’t already.
The Information Commissioner’s Office (ICO) states that at least one of the following six lawful bases must apply:
1. Consent
2. Contract
3. Legal obligation
4. Vital interests
5. Public task
6. Legitimate interests
Largely speaking, of course, a client has given consent from the outset when they agreed to a letter of engagement. It can be a problem, however, if the accountant is holding details on prospects for marketing purposes, where no such agreement exists.
The six points expanded
Some of the six points above may be obvious, while others require more explanation.
The client must have given clear consent for you to process their personal data for a specific purpose, the ICO says, and/or the processing must be necessary for you to comply with the law.
It could be that the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
The processing may be necessary to protect someone’s life or because you need it to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
The last of the six points, according to the ICO, is that the processing is necessary for “your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests”.
If the data you’re holding fails to match any of these criteria, then you will need to delete it.
How IRIS software helps
IRIS software lets you mirror the six lawful bases by creating six attributes that are recorded against each client. Practice Management allows you to set these up, and they sit alongside the client record in the program. One of the key benefits of the software is that you can carry out data mining across your clients and use the resulting list to decide who to contact. However, you still need to keep track of why each piece of information is being held; the reason can change over time, so it must be reviewed on an ongoing basis.
Do I need this data?
A key question to ask when requesting data in the first place is: is this really needed to achieve the required task, and do I have a good reason to obtain it?
Where sensitive personal data is concerned, it is particularly important to collect only the minimum information required and to retain it only for a specific duration that is relevant to the circumstances.
Holding personal data on the off-chance that it might be useful in the future is no longer considered a legitimate reason for holding that information. However, the ICO has stated that it is permissible to hold information for a foreseeable event that may never occur.
To address the points outlined above, it is wise to implement a data minimisation and retention policy: in other words, ensure you only collect what you absolutely need and avoid collecting and storing too much “dark” data. That is information that builds up but remains invisible to the business – it is idle, unanalysed and without a clear owner.
The policy should also factor in how to avoid recording personal information such as login details to clients’ accounts, credit card information, and client passwords, especially within unmanaged freeform data fields such as client notes.
Lastly, it is important to remember that this is about the right data for the right activity. It is easy to fall into the trap of thinking it is about the products or the system you use, but it is not. If you hold clients’ data, what matters is what you are processing it for.
For more help on GDPR, visit our GDPR hub.